> From: [email protected] [mailto:discuss-
> [email protected]] On Behalf Of Bill Bogstad
> 
> As far as I can tell, the problem with DNSSEC isn't with the
> underlying protocols/processes; it is the chicken and egg deployment
> problem.   As Ed Harvey discusses in a different message, not all
> zones are signed.   This causes lots of problems. 

There are lots of possible ways to solve the problem.  A really obvious one 
would be to create a "secure" DNS service, which is functionally equivalent to 
regular DNS, except that all query responses must be signed, and that includes 
signing the "NX_DOMAIN" response, which would then give the client the ability 
to verifiably determine whether or not a secure response should have existed 
for a particular query.  That is, unless a malicious DNS root server provides 
maliciously crafted responses.

Another way would be to mandate that all DNS must be secure by some deadline.  
By brute force and legal intervention, forcibly obsolete insecure DNS.

Another solution would be to simply require all non-DNS communications use 
SSL/TLS.  For example, you don't have to worry about hacked up DNS, if you're 
using https://blahblah.  Because if the DNS response is invalid, your https 
protocol is going to detect an invalid server cert.

And there are some other possibilities as well.
_______________________________________________
Discuss mailing list
[email protected]
http://lists.blu.org/mailman/listinfo/discuss

Reply via email to